Humanity Protocol Shifts to Key Security After $36M Hack
Humanity Protocol will put more focus on private-key and operational security after a compromised employee laptop exposed enough credentials to control its token infrastructure on Ethereum and BNB Smart Chain.
Founder Terence Kwok said the June attack showed that protecting production private keys is as important as auditing smart contracts. The project has not published a full list of new controls.
One Laptop Exposed Seven Production Keys
The breach traced back to Humanity Protocol’s June 2025 mainnet launch, when production keys were inadvertently backed up on one employee device. The machine stored an admin hot-wallet key, three Ethereum Safe owner keys and three BNB Smart Chain Safe owner keys.
Malware gave the attacker root access to the laptop. The stolen credentials met the approval thresholds for both multisignature setups, allowing transactions and contract upgrades to appear authorized on-chain.
On Ethereum, the attacker drained about 6 million H from an admin wallet, seized control of the bridge and removed roughly 141 million more tokens. On BNB Smart Chain, the compromised keys were used to mint 300 million H.
Contracts and Safe Software Were Not Exploited
Humanity Protocol said its contracts and Safe software were not exploited. The failure came from keeping enough signing authority on one machine. That distinction has shaped the project’s recovery message.
Kwok said Humanity Protocol is rebuilding around the lesson that operational controls cannot sit behind smart contract security. The project has not said whether its revised system will use hardware-separated signers, institutional custody or different approval thresholds.
Researchers Link Phishing Tooling to North Korea-Linked Tactics
An independent investigation found that the malware arrived through a phishing attachment presented as a token lockup update from South Korean exchange Bithumb. Researchers said the tooling matched methods associated with North Korea-linked attackers.
The incident affected about 447 million H tokens across both chains and caused an estimated loss of more than $36 million. Humanity Protocol halted bridge activity and offered a $1 million USDT bounty for information leading to asset recovery.
Recovery Now Depends on Signer Separation
The project later replaced its token contracts and prepared a one-for-one distribution for eligible holders based on balances recorded before the attack. It also created a compensation process for liquidity providers, protocol integrations and qualifying post-snapshot buyers.
Humanity Protocol must now complete compensation work, secure production access across devices and operators, and show that one compromised device cannot again expose enough signers to control the system.